From 945a85d4d7867d103d1a98093cc5122fadd55845 Mon Sep 17 00:00:00 2001
From: liuxinhao <liuxinhao@kylinsec.com.cn>
Date: Wed, 31 May 2023 14:19:54 +0800
Subject: [PATCH 4/5] fix(multi factor): Fixed an authentication failure caused
by disabling all authentication modes during multi-factor authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 修复多因子认证时,关闭所有非密码认证,认证失败的问题,认证服务进行密码认证时放行,密码认证流程由PAM模块以及PAM配置管理
Closes #I79I33
---
data/kiran-authentication-service | 7 +++--
src/daemon/auth-manager.cpp | 1 +
src/daemon/session.cpp | 29 +++++++++++++------
src/daemon/session.h | 1 +
src/pam/authentication-graphical.cpp | 1 -
src/pam/authentication-terminal.cpp | 1 -
src/pam/authentication.cpp | 6 ----
.../kiran-authentication-daemon.zh_CN.ts | 11 +++++--
8 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/data/kiran-authentication-service b/data/kiran-authentication-service
index afc7e17..e0f2763 100644
--- a/data/kiran-authentication-service
+++ b/data/kiran-authentication-service
@@ -1,5 +1,8 @@
-# NOTE:需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
+# NOTE:
+# 需要将/etc/pam.d/system-auth中pam_faillock中控制流程字段由required修改为requisite
# 若不修改,用户已锁定也能开始认证,无论认证是否成功都会失败,并且无提示。
+# sudo 若用户已锁定,仍然会尝试多次
+# sudo visudo ,添加'Defaults passwd_tries=1'行,将sudo尝试次数修改为1
# =========================认证配置项目================================ #
# 多路认证模式,成/功则认证通过,失败/切换到密码 跳过多因子认证模式
@@ -10,7 +13,7 @@ auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth
# 认证服务后续认证流程兼容,走系统错误计数failock, pam_debug只是修改认证状态值为成功
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
-auth required pam_debug
+auth required pam_debug.so
# 认证成功,清理内部记录错误次数
account required pam_kiran_authentication.so authsucc
\ No newline at end of file
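Review bot: `auth required pam_debug.so` relies on pam_debug's default return for the auth phase; make the intended result explicit with `auth required pam_debug.so auth=success`, so the stack's outcome does not depend on a module default and the line matches the comment above it (which says the module only flips the status to success). Adding the missing `.so` suffix is presumably what makes the line load at all, so the one-line change is right. The operator steps documented in the earlier hunk (required→requisite for pam_faillock, `passwd_tries=1` for sudo) are deployment preconditions and would be more discoverable in the package README than only as comments inside the service file. The file still ends without a trailing newline.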
diff --git a/src/daemon/auth-manager.cpp b/src/daemon/auth-manager.cpp
index 7ebef89..3d7aaf0 100644
--- a/src/daemon/auth-manager.cpp
+++ b/src/daemon/auth-manager.cpp
@@ -196,6 +196,7 @@ QList<int> AuthManager::GetAuthTypeByApp(int32_t authApp)
enabledAuthTypeIter++;
}
+ sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;
KLOG_DEBUG() << "get auth types by app:" << authApp << "result:" << sortedAuthTypes;
return sortedAuthTypes;
}
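Review bot: `sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD` appends unconditionally, so if the enabled auth type list can already contain the password type the result carries it twice, and in AND mode `m_authOrderWaiting` would then hold two password phases. I cannot tell from the hunk whether configuration allows that (the loop filling `sortedAuthTypes` starts before the hunk); if it can, guard the append: `if (!sortedAuthTypes.contains(KAD_AUTH_TYPE_PASSWORD)) sortedAuthTypes << KAD_AUTH_TYPE_PASSWORD;`. A short comment on why the password type is always appended after the configured types (`// password auth is delegated to the PAM stack, so it is always offered, after the device-backed types`) would also help, since this commit removes the same append from the two PAM callers and a reader of this function alone will not see why it is here.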
diff --git a/src/daemon/session.cpp b/src/daemon/session.cpp
index f24a697..e8c516b 100644
--- a/src/daemon/session.cpp
+++ b/src/daemon/session.cpp
@@ -128,17 +128,11 @@ void Session::StartAuth()
DBUS_ERROR_REPLY_AND_RET(QDBusError::AccessDenied, KADErrorCode::ERROR_USER_IDENTIFIYING);
}
- if (this->m_authType == KAD_AUTH_TYPE_NONE || this->m_authType == KAD_AUTH_TYPE_PASSWORD)
- {
- KLOG_WARNING() << m_sessionID << "auth type is invalid" << this->m_authType << ",start auth failed";
- DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED);
- }
-
KLOG_DEBUG() << m_sessionID << "start auth";
this->m_verifyInfo.m_inAuth = true;
this->m_verifyInfo.m_dbusMessage = this->message();
this->startPhaseAuth();
-}
+}
void Session::StopAuth()
{
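Review bot: Dropping the whole guard also removes the rejection of `KAD_AUTH_TYPE_NONE`, which the fix does not need; a session started with an unset auth type now falls into the `default:` branch of `startPhaseAuth` instead of failing the D-Bus call up front. Keep the block with the condition narrowed to `if (this->m_authType == KAD_AUTH_TYPE_NONE)` and the same `KLOG_WARNING` / `DBUS_ERROR_REPLY_AND_RET(QDBusError::Failed, KADErrorCode::ERROR_FAILED)` body. `Session::StartAuth` begins before the hunk, so I am assuming no other validation of `m_authType` sits above it. The `-}`/`+}` pair at the end looks like a line-ending change only.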
@@ -258,11 +252,15 @@ void Session::startPhaseAuth()
// 开始阶段认证前,通知认证类型状态变更
emit this->m_dbusAdaptor->AuthTypeChanged(this->m_authType);
+
switch (this->m_authType)
{
case KAD_AUTH_TYPE_UKEY:
startUkeyAuth();
break;
+ case KAD_AUTH_TYPE_PASSWORD:
+ startPasswdAuth();
+ break;
default:
startGeneralAuth();
break;
@@ -282,6 +280,14 @@ void Session::startUkeyAuth()
Q_EMIT this->AuthPrompt(tr("please input ukey code."), KADPromptType::KAD_PROMPT_TYPE_SECRET);
}
+void Session::startPasswdAuth()
+{
+ KLOG_DEBUG() << "The authentication service does not take over password authentication,ignore!";
+ this->m_verifyInfo.m_inAuth = true;
+ this->m_verifyInfo.m_authenticatedUserName = m_userName;
+ this->finishPhaseAuth(true,false);
+}
+
void Session::startGeneralAuth(const QString &extraInfo)
{
auto deviceType = Utils::authType2DeviceType(this->m_authType);
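Review bot: `startPasswdAuth` reports the password phase as authenticated (`m_authenticatedUserName = m_userName; finishPhaseAuth(true,false)`) without any credential check, so a success from this session is a pass-through, not an authentication result, and every consumer of the session's outcome has to know that. The service file's `auth [success=done ignore=2 default=die] pam_kiran_authentication.so doauth` line ends the stack on PAM_SUCCESS, so if the PAM module maps this session's success to PAM_SUCCESS for a password-only session the system password modules are never reached — confirm the module returns a non-success status for the password phase (the module side is not in this patch). I would state the contract above the function: `// Password is verified by the PAM stack, not by this service; the "success" reported here only advances the multi-factor sequence and must not be treated as proof of identity.` The `m_verifyInfo.m_inAuth = true` assignment is redundant, since `StartAuth` already sets it before calling `startPhaseAuth`.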
@@ -299,7 +305,8 @@ void Session::startGeneralAuth(const QString &extraInfo)
{
auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);
KLOG_WARNING() << m_sessionID << "start phase auth failed,can not find device,auth type:" << m_authType;
- Q_EMIT this->AuthMessage(tr(QString("can not find %1 device").arg(authTypeStr).toStdString().c_str()), KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+ Q_EMIT this->AuthMessage(QString(tr("can not find %1 device")).arg(Utils::authTypeEnum2LocaleStr(this->m_authType)),KADMessageType::KAD_MESSAGE_TYPE_ERROR);
+
this->finishPhaseAuth(false, false);
return;
}
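Review bot: `authTypeStr` is no longer read anywhere in this branch once the message is built from `Utils::authTypeEnum2LocaleStr(this->m_authType)`, so the `auto authTypeStr = Utils::authTypeEnum2Str(this->m_authType);` line above the warning is dead and should go (or feed the `KLOG_WARNING`, which still prints the raw enum). Moving the format argument out of `tr()` is the right fix — the old code looked up an already-formatted string in the translation catalogue, which could never match. The added blank `+` line before `finishPhaseAuth` adds nothing.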
@@ -352,7 +359,11 @@ void Session::finishPhaseAuth(bool isSuccess, bool recordFailure)
break;
case KADAuthMode::KAD_AUTH_MODE_AND:
{
- this->m_authOrderWaiting.removeOne(this->m_authType);
+ if( this->m_authOrderWaiting.size() > 0 )
+ {
+ this->m_authOrderWaiting.removeOne(this->m_authType);
+ }
+
if (this->m_authOrderWaiting.size() == 0)
{
this->finishAuth(isSuccess, recordFailure);
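Review bot: The new `if( this->m_authOrderWaiting.size() > 0 )` guard around `removeOne` is redundant — `QList::removeOne` on an empty list returns false and does nothing — so the lines can revert to the single `this->m_authOrderWaiting.removeOne(this->m_authType);` call. If the intent was to detect a phase finishing after the wait list has already drained (which would mean `finishAuth` has already run for this session), that deserves a `KLOG_WARNING`, not a silent skip. The spacing `if( ... )` also differs from the `if (` style used two lines below. The `KAD_AUTH_MODE_AND` case continues past the hunk.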
diff --git a/src/daemon/session.h b/src/daemon/session.h
index 2998f73..a850237 100644
--- a/src/daemon/session.h
+++ b/src/daemon/session.h
@@ -98,6 +98,7 @@ private:
private:
void startPhaseAuth();
void startUkeyAuth();
+ void startPasswdAuth();
void startGeneralAuth(const QString &extraInfo = QString());
void finishPhaseAuth(bool isSuccess,bool recordFailure = true);
diff --git a/src/pam/authentication-graphical.cpp b/src/pam/authentication-graphical.cpp
index 619f3cf..2f104ac 100644
--- a/src/pam/authentication-graphical.cpp
+++ b/src/pam/authentication-graphical.cpp
@@ -64,7 +64,6 @@ void AuthenticationGraphical::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QStringList authTypeStrList;
for (auto authType : authTypeList)
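Review bot: With the local `authTypeList << KAD_AUTH_TYPE_PASSWORD` gone, the password entry now exists only if the D-Bus call succeeded; `authType.value()` is read with no `isError()` check, so a failed or timed-out `GetAuthTypeByApp` leaves `authTypeList` empty and the user is offered no auth type at all, whereas before the password fallback was always present. Consider checking the reply before the loop, e.g. `if (authType.isError()) { /* log it */ authTypeList << KAD_AUTH_TYPE_PASSWORD; }`, or logging and returning early. The same applies to the identical hunk in src/pam/authentication-terminal.cpp. I cannot see what the rest of `notifySupportAuthType` does with an empty list, so the severity is inferred.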
diff --git a/src/pam/authentication-terminal.cpp b/src/pam/authentication-terminal.cpp
index 5db6b1c..01d66c6 100644
--- a/src/pam/authentication-terminal.cpp
+++ b/src/pam/authentication-terminal.cpp
@@ -34,7 +34,6 @@ void AuthenticationTerminal::notifySupportAuthType()
{
auto authType = this->m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authType.value();
- authTypeList << KAD_AUTH_TYPE_PASSWORD;
QList<KADAuthType> tempAuthTypeList;
for (auto authType : authTypeList)
diff --git a/src/pam/authentication.cpp b/src/pam/authentication.cpp
index 6a165fd..06bc010 100644
--- a/src/pam/authentication.cpp
+++ b/src/pam/authentication.cpp
@@ -184,14 +184,8 @@ int Authentication::startAuthPre()
{
auto authTypeReply = m_authManagerProxy->GetAuthTypeByApp(m_authApplication);
QList<int> authTypeList = authTypeReply.value();
- if (m_authApplication == KAD_AUTH_APPLICATION_NONE || authTypeList.isEmpty())
- {
- this->m_pamHandle->syslog(LOG_DEBUG, QString("The pam service '%1' is unsupported or authentication type is not configured.").arg(this->m_serviceName));
- return PAM_IGNORE;
- }
this->notifyAuthMode();
-
RETURN_VAL_IF_TRUE(!this->initSession(), PAM_SYSTEM_ERR);
if (this->m_authManagerProxy->authMode() == KADAuthMode::KAD_AUTH_MODE_OR)
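Review bot: Removing this block also drops the `m_authApplication == KAD_AUTH_APPLICATION_NONE` early return, so a PAM service that is not mapped to a known application now proceeds into `initSession` and the D-Bus auth flow instead of returning `PAM_IGNORE`; only the `authTypeList.isEmpty()` half became obsolete now that the daemon always appends the password type. Keep the application check: `if (m_authApplication == KAD_AUTH_APPLICATION_NONE) { this->m_pamHandle->syslog(LOG_DEBUG, ...); return PAM_IGNORE; }` with the original message. If `authTypeList` is not read further down in `startAuthPre` (the function continues past the hunk), the `QList<int> authTypeList = authTypeReply.value();` line is now unused as well.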
diff --git a/translations/kiran-authentication-daemon.zh_CN.ts b/translations/kiran-authentication-daemon.zh_CN.ts
index 4292ee7..8c03e2c 100644
--- a/translations/kiran-authentication-daemon.zh_CN.ts
+++ b/translations/kiran-authentication-daemon.zh_CN.ts
@@ -12,20 +12,25 @@
<context>
<name>Kiran::Session</name>
<message>
- <location filename="../src/daemon/session.cpp" line="201"/>
+ <location filename="../src/daemon/session.cpp" line="195"/>
<source>Please wait while the %1 request is processed</source>
<translation>%1认证请求正在等待处理</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="281"/>
+ <location filename="../src/daemon/session.cpp" line="279"/>
<source>Insert the UKey and enter the PIN code</source>
<translation>请插入UKey并输入PIN码</translation>
</message>
<message>
- <location filename="../src/daemon/session.cpp" line="282"/>
+ <location filename="../src/daemon/session.cpp" line="280"/>
<source>please input ukey code.</source>
<translation>请输入PIN码。</translation>
</message>
+ <message>
+ <location filename="../src/daemon/session.cpp" line="308"/>
+ <source>can not find %1 device</source>
+ <translation>未能检测到%1设备</translation>
+ </message>
</context>
<context>
<name>Kiran::User</name>
--
2.33.0